Only 5% of organizations successfully repel attacks and have recouped investments in security
The number of successful hacks has increased over the past year, despite the increase in companies’ cybersecurity costs. Experts suggest that businesses focus their efforts and funds on combating the most critical types of hacking.

Over the past year, on average, one company has faced 270 cyber attacks, which is 31% more than in 2020, according to a study by the consulting company Accenture (conducted from March to April this year in 18 countries among more than 4.7 thousand CEOs of companies with an annual turnover of at least $1 billion from 23 industries).

Out of the total number of cyber attacks on one company, on average 29 were successful, that is, attackers gained access to data, services, networks or devices. This is almost 32% more than last year. At the same time, 82% of respondents said that over the past year their companies have increased their budget for cybersecurity. Of these, 22% increased these costs by 10-24%, and 3% – by more than 25%.

Among the companies surveyed by Accenture, 55% were vulnerable to cyber attacks, that is, they do not prevent them effectively enough and eliminate vulnerabilities too slowly. As one of the reasons, the authors of the study point out that companies “too often focus on the speed of business development, sacrificing security and creating a lot of risk.” In addition, they propose to extend information protection measures to the entire ecosystem of companies, including partner networks, since a large number of hacks occur through the supply chain — the number of successful hacks through partners has increased from 44 to 61%.

Companies that successfully repel cyber attacks and have recouped their investments in security, the so-called cyberchampions, made up only 5% of respondents. As a rule, in such companies the head of the information security department reports directly to the CEO and the board of directors, communicates closely with the CFO, and has more freedom in deciding how to manage the budget for automation; a new product cannot be released to the market without his opinion. Such companies evaluate the effectiveness of their cyber defense system at least once a year and pay special attention to security issues during the transition to the cloud.

“There are still companies in Russia that have not fully implemented even a basic or ‘gentleman’s’ set of protection measures, not to mention a layered defense system against cyber attacks,” says Andrey Tymoshenko, head of Accenture’s information security practice in Russia. “But there are also their own ‘cyberchampions’: companies that are more in the focus of cybercriminals’ attention than others and actively invest in security.” In his opinion, in conditions of limited resources (time, qualified personnel, funding), it is necessary to set priorities correctly to ensure cyber resilience.

How much is spent on cybersecurity

According to the analytical company Canalys, the volume of the global information security market in 2020 amounted to $54.7 billion. In 2021, analysts expect an increase of 10%, up to $60 billion, in a positive scenario, and of 6.6%, up to $57.7 billion, in a negative scenario. The company noted that the number of data leaks and ransomware attacks last year reached its historical maximum due to incorrect configuration of cloud databases and the vulnerability to phishing of employees moved to remote work. Its forecast for this year assumes that this trend will continue.

Representatives of Russian companies in the field of cybersecurity agree with the conclusion that companies remain vulnerable, despite the increase in information security costs. The representative of Positive Technologies noted that external attackers can penetrate the network of 93% of companies. “Current approaches to building information security in organizations are often reduced to the introduction of individual measures and systems aimed at increasing the overall level of security of the company, and this level is measured in percentages or percentage points. Unfortunately, this approach does not allow us to be sure that in practice a real cyberattack will be detected and stopped,” says Evgeny Gnedin, head of the analytics department at Positive Technologies. According to Positive Technologies, in 2020, the number of cyber attacks increased by 51% compared to 2019 and continued to increase in 2021.

According to Alexey Pavlov, deputy director of the center for countering cyberattacks at Rostelecom’s Solar JSOC, the speed and dynamics of still undescribed vulnerabilities in companies “is growing and reaches several hours.” “In the best case, software updates will allow you to close only critical errors on the perimeter (and then not always in a timely manner), but they will not fix absolutely all the shortcomings and will not eliminate the human factor. Social engineering is becoming more and more popular, especially now, when many companies remain remote. Of course, companies conduct employee training and, as practice shows, the effectiveness of phishing after training is halved, but it is still possible to find an approach to almost any employee and force them to open an attachment,” Pavlov is pessimistic.

Director of Growth BI.Rustem Khayretdinov suggests that the existing tools to protect against cyber intruders cope with their task, but “their work takes place exclusively at the moment, without taking into account the fact that the system may change when new introductory ones appear.” “Cybersecurity should be built in at the design stage and work proactively, taking into account the dynamic changes in the objects of protection,” he said.

According to Alexey Pavlov, companies should set a goal of protecting themselves from risks that are unacceptable for their business, that is, understand which types of attackers may be interested in them and which attack vectors those attackers may choose, and select the appropriate approach to protection accordingly. The main efforts and investments should be directed at preventing events that are really unacceptable for the business, Evgeny Gnedin agrees.
